一、构造如下SM2签名算法过程1
Sig1 r1 = F2BFC778C66127C74E3613FAA1AB6E207059740B317597A78BBFCDF58AED0A51
Sig1 s1 = 4FC719D00334CCC23098036DEEAA71DB464A076EFA79283389D3414D70659E88
私钥d = B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32
公钥P = DC9A1F6E4334DDAC74E5104AC1797B3372A765E94B0C1DAC6032CDB0934758D21AB40618825661CAD4C8542D0736101B9975C7FE23A67B00BEC38587B202C5FA
用户身份ID = 1234567812345678
待签名消息M = 12345678901234567890
随机数k = 0000000000000000000000000000000000000000000000000000000000000123
二、构造如下SM2签名算法过程2
Sig1 r2 = 000E4A9838E4FCF75507F3EA012B7D2C9D7C6D76B9F1B1EE18D8A6F238991653
Sig1 s2 = 21B3190B669F6ABA735726BF140ABF6F52E6C3273DA3B461178E7D9A980D21AE
私钥d = B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32
公钥P = DC9A1F6E4334DDAC74E5104AC1797B3372A765E94B0C1DAC6032CDB0934758D21AB40618825661CAD4C8542D0736101B9975C7FE23A67B00BEC38587B202C5FA
用户身份ID = 1234567812345678
待签名消息M = 1234567890AB1234567890AB
随机数k = 0000000000000000000000000000000000000000000000000000000000000123
以上两次SM2签名过程中随机数k相同,在对手获得两次签名结果Sig1和Sig2的情况下,能否计算出私钥d?
由SM2签名算法可知
(1)s1 = (k-r1d)/(1+d) mod n
(2)s2 = (k-r2d)/(1+d) mod n
(3)s1-s2 = (r2-r1)d/(1+d) mod n
(4)d = (s1-s2)/[(r2-r1)-(s1-s2)] mod n
(5)n = FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123,(具体见GMT 0003.5-2012 SM2 椭圆曲线公钥密码算法第5部分:参数定义)
到此,若k为固定值时私钥d可以在Sig1、Sig2和n已知的情况下能够被推导出来。下面具体计算
(1)s1-s2 mod n = 2E1400C49C956207BD40DCAEDA9FB26BF3634447BCD573D27244C3B2D8587CDA
(2)r2-r1 mod n = 0D4E831E7283D53006D1DFEF5F800F0B9F26D8D6AA421F71E0D4CD05E7814D25
(3)[(r2-r1)-(s1-s2)] mod n = DF3A8258D5EE73284991034084E05C9F1DC773FA0F32B0CAC24BFD5C48FE116E
(4)1/[(r2-r1)-(s1-s2)] mod n,也就是DF3A8258D5EE73284991034084E05C9F1DC773FA0F32B0CAC24BFD5C48FE116E的逆元=
E5E3D3B7FF47A46B11EC572C81242A0915AC5A01EEEF04DB30E1FA62421CD2D
(5)d = 2E1400C49C956207BD40DCAEDA9FB26BF3634447BCD573D27244C3B2D8587CDA * E5E3D3B7FF47A46B11EC572C81242A0915AC5A01EEEF04DB30E1FA62421CD2D mod n =
B3124DC843BB8BA61F035A7D0938251F5DD4CBFC96F5453B130D890A1CDBAE32
用户私钥d被完整推导出来,由此可见随机数k的随机性对于SM2密码算法安全非常重要。